Query Suspicious Powershell Command Line Executions

AID2201251845.YAML

#####aid_begin
#description: query suspicious powershell command line executions
#id: aid2201251845
#processtype: query
#category: eventlog
#link: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  format-bgevent
#  1) get the sysmon/operational events where id 1, 5
#  2) fetch the suspicious powershell commandline execution
#notes:  |-
#  adversaries may abuse powershell commands and scripts for execution. powershell is a powerful interactive command-line interface and scripting environment included in the windows operating system. adversaries can use powershell to perform a number of actions, including discovery of information and execution of code. examples include the start-process cmdlet, which can be used to run an executable, and the invoke-command cmdlet, which runs a command locally or on a remote computer.
#   o event source: sysmon
#   o schema used: "sysmon.schema"
#   o event dataset: "microsoft-windows-sysmon/operational"
#   o event ids: '1, 5'
#####aid_end
commands:
- Format-BGEvent -Event "Microsoft-Windows-Sysmon/operational" -PropsOnly -MaxEvents 5000 -ID '1,5' -Schema "C:\BluGenie\bin\x64\Blubin\Modules\BluGenie\Configs\Schema\Sysmon.Schema" -EQLQuery "generic where true"
- Format-BGEvent -UseInputFile "Last:" -EQLQuery "generic where EventId in (1,5) and process_name == '*\\powershell.exe' and wildcard(process_command_line, '* -nop*', '* -w hidden*', '* -enc*', '* -noni*', '*Net.WebClient*', '*DownloadFile*', '*Invoke-WebRequest*', '*Invoke-Shellcode*')"
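
The EQL filter above, re-expressed as plain PowerShell so the same check can be run outside BluGenie. This is an added example, not part of the artifact or the BluGenie project; the function name Test-SuspiciousPowerShellLaunch and the sample records are this example's own, constructed to look like Sysmon EventData.

```powershell
# Command-line fragments taken from the artifact's EQLQuery. PowerShell's -like is
# case-insensitive and understands '*', matching the behaviour of EQL's wildcard().
$SuspiciousPatterns = @(
    '* -nop*', '* -w hidden*', '* -enc*', '* -noni*',
    '*Net.WebClient*', '*DownloadFile*', '*Invoke-WebRequest*', '*Invoke-Shellcode*'
)

function Test-SuspiciousPowerShellLaunch {
    param(
        [Parameter(Mandatory)][int]$EventId,
        [string]$Image = '',
        [string]$CommandLine = ''
    )
    # The artifact queries IDs 1 and 5, but Sysmon ID 5 (ProcessTerminate) carries no
    # CommandLine field, so in practice only ID 1 (ProcessCreate) can ever match.
    if ($EventId -notin 1, 5) { return $false }
    if ($Image -notlike '*\powershell.exe') { return $false }
    foreach ($p in $SuspiciousPatterns) {
        if ($CommandLine -like $p) { return $true }
    }
    return $false
}

# Constructed sample records shaped like Sysmon EventData (not real telemetry).
$SampleEvents = @(
    @{ EventId = 1; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -NoP -W Hidden -Enc SQBFAFgA' },
    @{ EventId = 1; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Backup.ps1' },
    @{ EventId = 1; Image = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c echo -nop' },
    @{ EventId = 5; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = '' }
)

# Expected: True for the first record, False for the other three.
foreach ($ev in $SampleEvents) {
    $hit = Test-SuspiciousPowerShellLaunch -EventId $ev.EventId -Image $ev.Image -CommandLine $ev.CommandLine
    '{0,-5} EventId={1} {2}' -f $hit, $ev.EventId, $ev.CommandLine
}

# Live use against the real channel (needs Sysmon installed and an elevated session):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000 |
#     ForEach-Object {
#         $d   = ([xml]$_.ToXml()).Event.EventData.Data
#         $img = ($d | Where-Object Name -eq 'Image').'#text'
#         $cl  = ($d | Where-Object Name -eq 'CommandLine').'#text'
#         if (Test-SuspiciousPowerShellLaunch -EventId $_.Id -Image $img -CommandLine $cl) { $_ }
#     }
```

The second sample shows a limitation worth knowing: a script launched with -ExecutionPolicy Bypass but none of the listed fragments is not flagged by this pattern set.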
